As artificial intelligence (AI) permeates industries and daily life, the Korean government is overhauling rules governing the use of "pseudonymized data" — a key element for AI development — to better reflect current realities. The plan aims to dramatically boost data utilization by simplifying complex procedures and removing unnecessary regulations.
The Personal Information Protection Commission (PIPC) announced on the 31st that it will fully revise its "Guidelines for Processing Pseudonymized Data" to reflect the rapidly changing AI data environment. The PIPC conducted surveys and in-depth interviews with officials from 50 AI companies and 1,441 public institutions to identify field-level difficulties, actively incorporating the findings into the new guidelines.
First, the commission established a standardized risk assessment framework. Under the previous system, assessments relied on subjective judgment by individual officers, leading to persistent complaints about inconsistent outcomes for identical cases and diminished predictability.
The PIPC now classifies risk into three clear tiers based on the intended use and the data processing environment. Internal use is categorized as "low risk," while provision to third parties is classified as "medium risk" or "high risk" depending on whether the environment can be controlled. The framework also allows flexible upward or downward adjustments to risk levels, taking into account the specifics of individual cases and internal institutional guidelines.
The burdensome procedures and extensive paperwork required for pseudonymization will also be significantly reduced. The commission applied differentiated review processes and documentation requirements so that lower-risk cases can be processed more quickly and simply. The total number of document forms was consolidated from 24 to 10.
Operational standards were also updated to keep pace with advances in AI technology. A notable change is the establishment of a framework allowing the same pseudonymized data to be reused for similar purposes. For example, when applying AI originally developed for research to another field, the previous system required restarting the pseudonymization process from scratch. Going forward, users can designate "expandable purposes" in advance and have them reviewed together.
In addition, the commission introduced more flexible standards for setting data processing periods, enabling continued use of pseudonymized data for as long as needed to advance AI services. For large-scale unstructured data such as video, images, and text — where a full inspection is practically impossible — a "sample inspection" method was also introduced, allowing verification of only a selected portion.
PIPC Chairperson Song Kyung-hee said, "The pseudonymized data system has long posed high barriers to entry in the field due to complex procedures and conservative operation." She added, "As we have thoroughly listened to voices from the field and fully revamped the guidelines based on substantive risk levels, this will serve as a turning point for dramatically expanding the safe and effective use of pseudonymized data in the accelerating AX (AI transformation) environment."